Data Protection Guidelines for the promotion of good practice. Processing of personal data by credit referencing institutions

Transcription

1 Data Protection Guidelines for the promotion of good practice Processing of personal data by credit referencing institutions Preamble 01. In terms of article 40(g) of the Data Protection Act (Cap 440) hereinafter referred to as the Act, and in accordance with his function to encourage the drawing up of suitable codes of conduct by the various sectors affected by the provisions of this Act, the Commissioner is issuing the following guidelines aimed at promoting good practice in the use of personal data for credit referencing purposes. 02. In the absence of a specific legal framework regulating the area of credit referencing, the Commissioner felt the need to develop guidelines on a common interpretation of data protection rules applicable to this sector. 03. Given that these guidelines are based on current practices, the Commissioner will take into account future development and if necessary introduce specific amendments, or issue further guidance after consultation with the sector. Terminology 04. Unless otherwise specified in these guidelines, the definitions contained in article 2 of the Act shall be applicable. 05. In addition; "credit application/relationship" shall mean any application or relationship concerning the granting of credit, guarantees or similar instruments in the exercise of commercial and/or professional activities, in the form of a payment extension, a loan, guarantee or any other similar financial support or relationship; "credit information system" shall mean any database concerning credit applications/relationships that is centrally managed by a legal person, an organisation, an association and/or another private body and can only be accessed by the authorised entities communicating the information recorded therein and participating in the relevant information system; "credit referencing agency (CRA)" shall mean any private entity acting as controller of the processing of the personal data recorded in a credit information system and managing said system by setting out the mechanisms, rules and procedures applying to its operation and use; 1

2 "participant" shall mean any person that acts as a controller of the processing of the personal data that are collected in connection with credit applications/ relationships, participates in the relevant credit information system based on an agreement and/or contract with the CRA, and can use the data contained in the system, being under the obligation to notify the CRA systematically of said personal data as related to credit applications/relationships within the framework of mutual data exchanges with other participants; defaulting debts shall mean pending financial obligations arising from the provision of goods or services on credit which are not honoured according to the terms regulating a credit application/ relationship. Similar financial obligations also include dishonoured payments by cheque, including bills of exchange and debts arising or otherwise re-established further to Court judgements or other executive titles in relation to the provision of goods or services; "automated credit scoring techniques and/or systems" shall mean mechanisms used to process personal data related to credit applications/relationships, and consisting in the use of automated features based on statistical methods or models with a view to assessing credit risk. Scope and Applicability 06. These guidelines are primarily intended to promote good practice amongst organisations operating as a CRA and participating entities having access to a credit information system. 07. The document is of particular interest to specific stakeholders involved in the field of credit facilities, loans, or other forms of payment extensions, such as banks and other related financial institutions, the business community at large and individual consumers. 08. Where organisations have already developed internal procedures addressing issues which are contained in these guidelines, such procedures shall be reviewed accordingly to reflect the interpretation contained in this document. 09. These guidelines are only applicable to the processing of personal information relating to data subjects acting in their own personal capacity, which data, is used for the purposes of creating and maintaining a credit information system regarding defaulting debts and is made available to participants offering consumer credit or any other form of payment extension. 10. Therefore the processing of personal data in the context of a data subject s involvement in a business activity, being a sole trader or in representation of a company shall not be considered for the purposes of these guidelines. In addition, the processing of data in relation to legal persons or liability companies falls 2

3 outside the scope of the Act and therefore these guidelines are not intended to cover similar data processing. This notwithstanding, CRAs are free to apply the same principles and modus operandi across the board. Legality for data processing 11. Having regard to the benefits derived by the business community from credit information systems, and taking due consideration of the right to privacy of data subjects; 12. It shall be lawful for CRAs to process personal data in relation to defaulting debts for the purposes of compiling, maintaining and making available a credit information system to their participants whose business activity requires knowledge on credit applications/relationships and can demonstrate a legitimate interest within the meaning of article 9(f) of the Act, in making use of such information. 13. In this respect CRAs shall regulate such participants by means of a written agreement which shall specify the terms of use and participation in the credit information system including the data protection measures contained in these guidelines. Prior Authorisation of the Commissioner 14. Any organisation intending to operate as CRA shall, before carrying out any data processing, subject its operations to a prior-checking evaluation of the Commissioner in accordance with article 34 of the Act. 15. Any organisation already in operation on the bringing into effect of these guidelines shall also subject its operations to an assessment by the Commissioner. 16. The requirement for prior-checking shall also apply in cases where a credit referencing agency introduces new forms of processing in addition to those already approved by the Commissioner in the initial evaluation, where such processing may involve particular risks of improper interference with the privacy of data subjects. 17. The Commissioner is empowered to carry out periodic reviews of the processing operations undertaken by credit referencing agencies and shall carry out such reviews as he deems necessary. 3

4 Notification 18. Besides the mandatory notification for prior-checking required in terms of article 34, the standard notification of the data processes required under article 29 of the Act, shall be submitted to the Commissioner accordingly. Such notification shall be updated regularly to include any new processes or amendments in the original form. The requirement for a standard notification is also applicable to participants since they are acting as data controllers with respect to the information obtained from credit referencing agencies, and other general information processed for their day-to-day business activities. Purposes of processing 19. The personal data contained in a credit information system may only be processed by the CRA and participants for the purpose of protecting credit and limiting the relevant risks, and in particular, to assess data subjects' financial status and creditworthiness or anyhow their reliability and timeliness of payment. 20. No other purposes may be pursued, such as market research or the promotion, advertising, direct selling of products or services. Data Collection and Processing 21. CRAs may collect and process personal data in relation to defaulting debts arising from credit relationships entered into by their participants, provided that the data subject does not object on reasonable grounds to the collection of such data. Where a data subject defaults in relation to payment obligations arising from a credit relationship with a participant, the participant shall be entitled to provide such information to the CRA, together with all the necessary evidence, in order to allow for the registration of the defaulters in the credit information system. Such data shall be duly verified initially by the participant and then by the CRA prior to its recording in the system. Apart from the information relating to defaulting debts, participants may also disclose personal data concerning debts which were positively settled during the stipulated terms established under a credit relationship, provided that such a disclosure to the CRA, may only occur with the freely given and informed consent of the data subject within the meaning of Article 9(a) of the Act. 22. In addition CRAs may also collect and process personal data which is made publicly available by the Court Registrar in relation to civil Court sentences or decisions specifically relating to the financial obligations or status of data subjects, and in particular where such individuals are ordered to settle a defaulting debt. Such data may be registered in the credit information system, further to the necessary 4

5 verifications being made and provided that upon displaying such information, CRAs shall clearly indicate that the information was obtained from a public source, and shall specify the source from where it was obtained. 23. In order to ensure correctness of the information being processed in credit information systems, CRAs may use other publicly available sources such as public registers, provided that similar sources may solely be used in the same form as available for public consumption or as may be approved by the Commissioner. Such data shall only be used to cross-check the information related to credit, with the aim of guaranteeing proper identification and representation of data subjects in the information system. 24. Personal data available in the credit information system may be accessed and used by participants for the sole purpose of assessing the financial situation of data subjects prior to entering into a credit relationship with such data subjects, in compliance with the legal obligations established under the Consumer Credit Regulations LN 330 of 2010, and to monitor similar relationships once that these are established. In this respect, participants shall ensure that any verification on the financial status of a data subject is legitimate and necessary in line with the legal obligations established under the abovementioned instrument. For such reason, any evidence, including credit applications by the data subjects, or any relevant agreement shall be retained by participants for a period of 3 years to justify any access. Categories of personal data 25. The following data categories in relation to data subjects having defaulting debts may be recorded in the credit information system: a) Identification details which shall include name, surname, address, I.D. card or travel document number; b) The type of defaulting debt (i.e. failing to honour credit applications /relationships, dishonoured cheques, and/or bills of exchange, and the amount due; c) Court orders for settlement and executive warrants; d) Other information made publicly available by the Courts. 26. Where the information is communicated by participants to the CRAs, identification details of the participant providing the information shall be recorded in the credit information system. Similar details shall remain accessible to the CRA and the data subject concerned, whilst they shall not be available to other participants. 5

6 Information to data subjects 27. The processing of personal data in credit information systems shall be subject to the requirement to inform data subjects with the intended processes, which information shall at least satisfy the conditions of articles 19 and 20 of the Act. 28. CRA s shall have specific mechanisms and practices in place which facilitate the provision of information by participants to data subjects, during the various phases of a credit application/ relationship. 29. At the time of considering a credit application, and prior to carry out any verification with credit information systems, a participant shall, to the extent possible, inform the data subject that such verifications will be made in order to assess creditworthiness of the data subject. 30. If the credit application is not granted on the basis of negative credit information, the participant shall inform the data subject with the relevant details in relation to the credit information system consulted and the CRA managing such system. 31. Upon entering into a credit relationship, the participant shall inform the data subject that if he fails to honour the obligations arising from such relationship, information on defaulting debts will be disclosed to one or more CRAs in order to be recorded on their system(s) and made available to participants. The business contact details relating to CRAs in which the participant is a member shall also be provided to the data subject. 32. The information mentioned above shall be provided by means of written notices. In those cases where the information notice is provided by participants, given that direct contact will be possible with data subjects, it is recommended practice that such information notices are also signed by the data subject. In these cases, the signed notice will be kept by participants for evidence purposes, while the copy will be provided to the data subjects. In those instances where a data subject pays by cheque, a notice affixed on the cash counter is considered sufficient to inform data subjects on possible disclosures to CRAs in cases of defaults. 33. In order to ensure a homogeneous approach, CRAs are encouraged to develop model information notices which may be used to provide information to data subjects as specified in the abovementioned circumstances. Such model notices shall be approved by the Commissioner. 34. Where CRAs process personal data concerning civil Court judgements or decisions, and other documents which are made publicly available under the Code of Organisation and Civil Procedure, the obligation to inform data subjects about the intended processing does not apply, given that Article 20(3) of the Act, excludes such requirement when there are provisions concerning the registration or disclosure of personal data in any other law. 6

7 Retention of data 35. Personal data relating to defaulting debts which remain unsettled shall be retained in the credit information system for a maximum period of 6 years from the date of registration in the system. 36. In case of settlement or where a debt is otherwise no longer due, CRAs shall include such data in the credit information system clearly indicating that the debt has been settled or is no longer applicable. All personal data concerning similar debts shall be deleted from the system 18 months from the date when such liability becomes no longer due. 37. CRA s may retain anonymous data in aggregate form purely for statistical purposes. Updating and Verification Procedures 38. CRAs shall verify and update personal data on a regular basis and in any case, shall review the validity of such personal data at least every year. 39. In cases where information relating to a defaulting debt has been communicated by participants, such entities responsible for the initial registration in the system, shall have the obligation to notify and update the CRA with any changes concerning the status and the current amount pending in relation to such debt. The CRA shall take the necessary steps in order to update the information accordingly. 40. Where information has been obtained from public sources, such verification should be carried out with the public source(s) from where the information had been derived. In the case of publicly available data filed in Court regarding a debtor, in addition to verifications with the public source(s) such data shall also be crosschecked with the creditor where possible. Where it emerges that following a Court Order for settlement, the creditor offers payment terms by instalments to the debtor to settle the default, the CRA shall maintain close contact with the creditor where possible in order to update the information with the current pending amount. In the absence of additional defaults resulting from the payments by instalments specified above, the retention shall not exceed the period stipulated under point If further to verifications it emerges that a debt has been settled or is no longer due, the CRA shall take the necessary measures as specified under point Any evidence proving that verification has taken place shall be retained for a period of 1 year and shall be provided to the Commissioner upon request. 7

8 Rights of the data subjects 43. Data subjects shall be entitled to exercise their rights with respect to personal data recorded in the credit information system as stipulated under the Act. Such rights, namely the right of access, rectification, blocking or erasure, may be exercised both in respect of the CRAs and also in respect of participants responsible for communicating the data to the CRA. 44. Data subjects submitting a request to exercise their rights shall be required to provide sufficient details to the CRA or participant, together with a proof of their identity for secure identification. 45. The CRA or participant receiving the request shall be responsible to deal with such request and to inform the data subject with the outcome. Given the nature of credit information systems, when dealing with such requests, it may be necessary for CRAs and participants to work in close cooperation, and where appropriate to consult, refer, or carry out specific verifications in order to provide the data subject with an effective remedy. However, where this cooperation is necessary, the rights of data subjects should be respected. 46. In the event of any difficulty or disputes between CRAs and participants when dealing with a request for access of data from the data subject, such issues shall be primarily referred to the Personal Data Representative if such person has been appointed, and subsequently to the Commissioner for the necessary guidance. In any case, the data subject shall be entitled to seek further remedy directly from the Commissioner in line with the procedure established under the Act. Automated credit scoring techniques 47. Where credit information systems contain automated credit scoring techniques, the use of such functionality shall only be limited to assess a credit application or to manage credit relationships already set up. Personal data concerning credit scoring shall be processed and communicated by the CRA exclusively to the participant having received a credit application or otherwise already involved in a credit relationship with the same data subject. Information relating to credit scores may not be retained in the credit information system, nor may it be made available to other participants. 48. Where the participant has consulted results or otherwise obtained information derived from automated credit scoring techniques, as a result of which, a credit application/ relationship is refused or negatively affected, the data subject shall be informed by the participant about the use of such techniques. In similar cases, the data subject shall be entitled, upon request, to receive further information from the participant regarding the logic involved in such systems and the main factors that were considered. 8

9 Security Measures 49. CRAs and participants have an obligation in line with the Act to implement appropriate technical and organisational security measures to protect the personal data being processed. 50. Any access to the credit information system should be justified and therefore, in order to ensure a secure management of such system, CRAs shall keep audit logs in relation to each and every access carried out by its administrators and/or users authorised by participants of the system. A security audit in relation to such access shall be carried out every 2 years. Details of the security audits shall be made available, upon request, to the Commissioner. Transition Period 51. CRAs shall be required to implement the provisions contained in such guidelines one year from the date of adoption. Adopted on 15 th October